I talked with Anand about his impressions of the Note 8 after reading his hands on piece, and one thing that struck me was a mention of how Samsung was going to aggressively go after the enterprise market in the USA for a few reasons. First, a lot of its marketing has focused on SAFE (SAmsung For Enterprise) which is a combination of improved EAS (Exchange ActiveSync) policies, and improved MDM (Mobile Device Management) integration with more toggles and sliders for IT Admins in enterprise roles. Second, because once you win the enterprise market you're guaranteed some market loyalty and a long tail of sales thanks to the slower pace of enterprise acquisition and certification. I didn't really appreciate the full meaning of just how much Samsung was going after the enterprise business until I learned about their plans for another product geared at enterprise policy enforcement, called KNOX, and Samsung truly wants to be the one who KNOX.

KNOX builds on SAFE by basically adding two parts - a fully secure boot chain, and a new container based sandbox for Android. The idea is for Samsung to both become desirable for enterprise businesses, and enable even greater BYOD (Bring Your Own Device) functionality by shipping a single SKU that can easily be attached to an enterprise login and managed. At the same time, the container model means that consumers bringing their devices to a particular business and then leaving won't lose anything other than the container data if they leave and have their devices wiped remotely. The result is a win-win in theory for IT Admins who want more control over the devices being brought into the fray, and employees who don't want to lose personal data in the case of a device wipe, or have privacy concerns from the control IT Admins have over the platform.  

First is that secure platform story, which begins with secure boot chain which only boots signed code, then SE Android (Security Enhanced Linux for Android), and TrustZone Integrity Monitoring (TIMA). Samsung will have more information about the hardware and software level for KNOX available in a whitepaper later this week. There are some obvious interesting implications to say the least for what this will mean for enthusiast users who want to run their own arbitrary third party ROMs on devices, especially since the secure boot chain will ship enabled in markets targeted for KNOX and on "iconic devices" at the high end to make them BYOD-capable. 

The second part is the secure, enterprise-controlled container, which exposes itself as an application icon or shortcut in Android, and takes you into another instance of Android which is completely sandboxed or containered from the user's side. Admins then get complete control over the container, including what apps exist inside, all while maintaining the same Android UI and platform. Email, browser, contacts, calendars, and so on exist inside the container sanitized from the personal outside Android. 

KNOX will include certification for FIPS 140-2 (DAR, DIT), Government Root of Trust, US DOD CAC/PIV, and US DOD Mobile OS SRG on applicable devices. In addition KNOX includes more IT policies for MDM APIs, and ActiveDirectory based management for enterprises who don't have an MDM solution or don't want to use Exchange.

The rest of the story is really one of timing and focus. Samsung says it is targeting KNOX heavily at the US market, and obviously compliance with so many federal and government security standards makes that much obvious. Timing wise, KNOX will ship on "iconic devices" in Q2 2013. 

Comments Locked


View All Comments

  • twotwotwo - Monday, February 25, 2013 - link

    A device can do the whole DRM/container "trust" thing but still let untrusted OSes run, just with fewer capabilities. UEFI secure boot/Windows implement something like this, I think. Basically, hardware stores a crypto key or the like that's accessible only while a trusted OS is running--it's a fancier version of "flashing your device voids your warranty."

    I think for their own sake Samsung should take the "make alternate ROMs detectable" route rather than depend on fully locking out other ROMs. For one thing, if they fully lock out ROMs, they're enlisting the whole xda-developers type world to try and break their devices' bootloaders, which (as we've seen) will happen, then happen again, and that can't be good for the security reputation they're trying to create. Whichever way they've gone, the ship's probably already sailed, so looking forward to seeing if I need to go for a Nexus again next cycle, heh.
  • Egg - Monday, February 25, 2013 - link

    Can trusted and untrusted OSes be run simultaneously, though? All I've heard was you can do some sort of dualboot.
  • Dean.Collins - Thursday, April 25, 2013 - link

    Be aware Verizon are forcing you to change over to tiered data plans when upgrading to the Samsung S4 ..... hope you don't mind switching to sprint or Tmobile for an unlimited handset the way it was designed to be used.

Log in

Don't have an account? Sign up now